On Thu, Aug 04, 2011 at 11:23:20AM -0700, Devendra K. Modium wrote:
> Hi Daniel,
>
> Thanks for the reply.
>
> I am trying to access GPU devices from inside
> the containers.
>
> (Only way I know)For this I need to add the GPU device numbers in ACL/(device whiteist)
> to get access to these devices from inside the container.
Ah ha, so you're not really wanting todo PCI device passthrough, but
rather just want to be able to access something like /dev/video0 inside
the container ?
We don't currently have a way to enable that in LXC, but our host device
passthrough was sort of anticipating this need. To support this in libvirt
I think we'd need to define something new in the XML along the lines of
<hostdev mode='capability' type='video'>
<source name='video0'/>
</hostdev>
> I found that libvirt lxc driver currently allows set of devices while starting the container.
>
> I have browsed through the libvirt lxc code and I believe there is no elegant way
> currently where you can request the devices to be allowed inside LXC container using the
> usual libvirt xml file.CORRECT ME IF I AM WRONG.
That is correct, we can't currently do that.
Having said that, since LXC is not currently at all secure[1], you can
in fact just modify the cgroups device ACL once inside the container
Daniel
[1] There is work going on upstream to introduce proper user/capability
namespaces into the kernel which will plug the biggest missing piece
of security. We also aim to integrate sVirt into LXC to enable use
of MAC to plug the DAC security holes.
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|